RBAC hides the Office 365 Mailbox creation link

If you have configured Exchange 2013 in hybrid mode, then you have probably noticed the appearance of this link. It’s the Office 365 Mailbox creation link.

However, if you have implemented RBAC this link may not show when you’d expect it to.

I ran into this recently when upgrading an Exchange 2010 hybrid environment to 2013. Previously the client had implemented RBAC where members of the helpdesk team were added to the Recipient Management group. In 2010 this allowed the helpdesk team to create and manage mail recipients, both on-premises and in the cloud. However, when this group attempted to use the 2013 management tools the Office 365 Mailbox link was absent.

After some digging, plus some trial and error, we quickly found an oddity. The short answer: it’s all based around one missing role entry. To see that link you need access to the Get-RemoteDomain cmdlet. Members of Recipient Management do not have this.

Seems odd though. Why wouldn’t Recipient Management have this cmdlet? It’s only a Get verb after all. Not much damage you can do with that.

If we dig into RBAC, let’s see which roles are assigned the Get-RemoteDomain cmdlet.

That’s a ton of cmdlets! Over two hundred. While the vast majority of these are harmless Get verbs, it’s way more than I want the helpdesk team to see. The View-Only Configuration role is effectively a read-only admin for the entire Exchange environment.

I am trying to implement least privilege, so these two roles don’t work for me. We will need to create a new role. Let’s use View-Only Configuration as the parent.

By default, this new role inherits all entries from its parent. We don’t need these. However, we want to make sure we don’t remove the Get-RemoteDomain cmdlet. To remove every entry except Get-RemoteDomain, issue the following command. Press “A” to confirm the removal of all entries.
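The whole procedure above, from finding which roles carry Get-RemoteDomain through to handing the stripped-down role to the helpdesk group, as an added Exchange Management Shell example that is not from the original post. The role name "Helpdesk Remote Domain View" and the final assignment to the Recipient Management role group are my assumptions; the cmdlets (Get-ManagementRoleEntry, New-ManagementRole, Remove-ManagementRoleEntry, New-ManagementRoleAssignment, Get-ManagementRoleAssignment) are the standard Exchange RBAC cmdlets.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on an Exchange 2013 hybrid server with an account that can manage RBAC.

# 1. Which management roles contain the Get-RemoteDomain entry?
#    "*\Get-RemoteDomain" matches that cmdlet in every role.
Get-ManagementRoleEntry "*\Get-RemoteDomain" | Select-Object Role, Name

# 2. Confirm the helpdesk's current role group (Recipient Management) lacks it.
#    Walk every role assigned to the group and look for the entry; no output
#    means none of those roles grant Get-RemoteDomain.
Get-ManagementRoleAssignment -RoleAssignee "Recipient Management" |
    ForEach-Object {
        Get-ManagementRoleEntry "$($_.Role)\Get-RemoteDomain" -ErrorAction SilentlyContinue
    }

# 3. See how much the parent role really grants (the "ton of cmdlets").
(Get-ManagementRoleEntry "View-Only Configuration\*").Count

# 4. Create a child role. Role name is an assumption; pick your own.
$roleName = "Helpdesk Remote Domain View"
New-ManagementRole -Name $roleName -Parent "View-Only Configuration"

# 5. Strip every inherited entry except Get-RemoteDomain.
#    Remove-ManagementRoleEntry prompts per entry; answering "A" (Yes to All)
#    accepts them all. Add -Confirm:$false to skip the prompt in a script.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne "Get-RemoteDomain" } |
    Remove-ManagementRoleEntry

# 6. Verify: the child role should now hold exactly one entry.
$remaining = Get-ManagementRoleEntry "$roleName\*"
if (@($remaining).Count -ne 1 -or $remaining.Name -ne "Get-RemoteDomain") {
    throw "Role $roleName does not contain only Get-RemoteDomain; review before assigning."
}

# 7. Assign the minimal role to the helpdesk role group (assumed target).
New-ManagementRoleAssignment -Name "$roleName-Recipient Management" `
    -Role $roleName -SecurityGroup "Recipient Management"

# 8. Audit what the group can now do; only one extra Get cmdlet was added.
Get-ManagementRoleAssignment -RoleAssignee "Recipient Management" |
    Select-Object Name, Role
```

Step 6 is the check worth keeping: a child role that still carries the parent's full entry list is exactly the read-only-admin-for-everything outcome the post is trying to avoid, and the throw stops the assignment in step 7 from ever running in that state. Role entries can also be listed later with the same "RoleName\*" pattern if someone asks what the helpdesk team was actually granted.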

Thanks so much for this. I was in the same scenario; trying to allow my service desk staff access to create Office 365 mailboxes, but “Recipient Management” didn’t have the option in the new mailbox drop-down, despite the documentation telling me that that role should give remote recipient management. You may be interested to know that a Microsoft support rep linked me to this page; I suppose they haven’t documented it themselves anywhere. 😛

I knew which management roles the link appeared on. So that was my starting point. Then I examined what cmdlets they had that Recipient Management did not. Then it was a bit of trial and error by adding/removing cmdlets until the link appeared.